Cyberspace threats: who's in charge and are they up to it?

MARK COLVIN: The world wide web is more than two decades old, yet big companies and even governments are in many cases still woefully underprepared to protect their own security in cyberspace.

A new book called Cybersecurity and Cyberwar: What Everyone Needs to Know exposes serious ignorance and incompetence in surprisingly high places.

One of its two co-writers is the director of the 21st Century Defence Initiative at the Brookings Institution in Washington, Peter W. Singer.

I began by asking him about an example from Australia.

PETER W. SINGER: The Australia example was an official who in US parlance we'd describe him as a policy czar, someone with a great amount of expertise and leadership responsibility for cybersecurity, and in testimony, they admitted that they'd never heard of Tor, which is one of the most crucial technologies when you're talking about some of the new things that are playing off in this space.

Now, the point is we can mock them, but the bottom line is that that level of ignorance, that lack of awareness, is happening in a number of nations and not just in governments but also in businesses. One survey found that 70 per cent of executives - not 70 per cent of technology executives or security executives, but 70 per cent of business executives in general - have made some kind of cyber security decision for their company and yet no major business management program teaches that as part of your normal responsibility.

MARK COLVIN: I noted that when Tony Blair ceased to be prime minister of Great Britain, he said that one of the things that he was going to do was learn how to use email. Is that kind of thing common in very senior jobs still?

PETER W. SINGER: Unfortunately it is. The examples we have from the United States in the book are the former, she was most recently, Secretary of Homeland Security - that's the civilian agency in the US that's ostensibly in charge of cyber security among other measures, and she told us how, quite proudly, that she didn't use email, and in fact hadn't used social media for over a decade not because she didn't think it was secure, but because she just didn't think it was useful.

Our Supreme Court, which is in the upcoming year going to decide issues that range from the constitutionality of some of the NSA (National Security Agency) activities to net neutrality questions, one of the Supreme Court justices described how they "hadn't yet gotten around to email" - hadn't yet got around to it, at some point they will.

MARK COLVIN: So the Supreme Court is pretty much entirely paper-based, and yet it's going to have to make these very important decisions about how the NSA is spying on the world and to quite a large extent on Americans?

PETER W. SINGER: Yes, and it's a good example of how, while technology constantly moves at an exponential pace, our policies, our laws and institutions that drive them really are moving at a glacial pace, and we can see that in the justice system. For example, our Supreme Court just got around to a case that involved the monitoring of beepers, if you remember that technology.

(Mark Colvin laughs)

Our Congress…

MARK COLVIN: So this would be a case about something which really nobody uses anymore?

PETER W. SINGER: There's a wonderful episode where two of the Supreme Court justices have a back and forth where neither one of them understands what a beeper is and how they work. They're like, "you press a button and it beeps?"

It's a wonderfully hilarious episode, but it illustrates this point of how things are moving. You can see this in our legislatures. In the United States, for example, our Congress has not passed major cybersecurity legislation since 2002. That's five years before any of us had heard of the iPhone, let alone today's issues of metadata, Google Glass, you name it, and that's repeated not just in our Congress but in parliaments around the world.

So again, this issue is incredibly important, and yet the basics of it, our political systems but also people in responsibility in business, in journalism, in law, et cetera, are not really well equipped to handle it.

I need to be very clear here. We treat it as this complex technology area only for the IT crowd, but the basics of it are easy to understand, and that's the point of the book which is to try and walk people through how does it all work, why does it all matter and most importantly what can we do about it?

MARK COLVIN: But why does it matter? I mean, where are the threats coming from? Let's stay with international security and the issues of cyber war. Is there cyber war going on?

PETER W. SINGER: There is definitely a conflict playing out in this space. The problem with the term cyber war is that it's become so abused that everyone's taking very different meanings from it. And almost like the word war itself, where we see war describing everything from, you know, in the US, we have the war on poverty, the war on drugs, to Fox's claim of a war on Christmas, and then the things that actually are war we don't describe them that way; so various military campaigns around the world.

So what's happening in this space is that there are many things that we lump together in the popular narrative of war, but in turn we don't focus on cyber war activities, which is the growing military use of this. So as an example, a major magazine had a cover story that was titled Cyber War and it had a digital mushroom cloud over a city, but if you read the article, it was about credit card fraud as opposed to there's very real arms races building in this space.

More than 100 different nations have created some kind of cyber military command that all are trained and equipping for growing conflict. And as long as we use the internet there will be cyber threats, there will be cyber war, there will be cyber conflict. The question is how can we manage them?

MARK COLVIN: Peter W. Singer, and there'll be more from him tomorrow about China, the NSA and how to protect your own online security.

He's director of the 21st Century Defence Initiative at the Brookings Institution in Washington.

Note: more information about the book and author can be found at cybersecuritybook.com